Vince Kelly says
Chinese hackers accused of targeting US defence firms linked to South China Sea
Cybersecurity group says companies were targeted for information that could prove useful for Beijing in disputed maritime waters
http://www.scmp.com/news/china/diplomacy-defence/article/2137496/chinese-hackers-accused-targeting-us-defence-firms
As support for the “is traditional spying/intelligence gathering obsolete?” argument from the previous post – yet another example of state-sponsored infiltration – in this case China. Apparently a state-sponsored hack against civilian engineering and defense contracting companies that was specifically targeting information on how accurate current navigational equipment is with regard to geographic way-points in the South China Sea. The technique used seems to be a favorite for all spies – spear phishing.
What makes this article particularly interesting is that the US had a previous agreement with China that both countries would NOT target civilians or civilian organizations – so much for ‘agreements’ 🙂
Vince Kelly says
Six Cyber Threats to Really Worry About in 2018
From AI-powered hacking to tampering with voting systems, here are some of the big risks on our radar screen.
https://www.technologyreview.com/s/609641/six-cyber-threats-to-really-worry-about-in-2018/
Although most of these predictions (Huge Data Breaches, Ransomware in the Cloud, etc.) seem to be almost a given, two predictions stand out to me:
Weaponization of AI is potentially the scariest – releasing open-source frameworks and tools for AI (Elon Musk’s OpenAI initiative, for example) gives potential adversaries that have few capital resources to expend in this area access to technology that has greater destructive potential than nuclear weapons.
True, the alternative of a single country controlling that sort of technology alone is scary, but this gives almost any impoverished, unstable regime in the world an ability to literally hold the world hostage. (see: The World’s Ten Most Unstable Countries http://www.newsweek.com/world-ten-most-unstable-countries-511821).
The second, less ‘politically charged’ but equally interesting prediction is the (potential) theft of distributed computational resources for cryptocurrency mining. This, I think, could really be something to watch for, especially because there is a potential motivation for Governments to get into the act.
Cryptocurrencies have become the perfect tool for countries to circumvent political sanctions – (“Russia Ministry of Finance to legalize Cryptocurrency Trading” https://www.google.com/search?q=russia+opens+cryptocurrency+exchange&rlz=1C1CHZL_enUS755US755&oq=russia+opens+cryptocurrency+exchange&aqs=chrome..69i57.11617j0j7&sourceid=chrome&ie=UTF-8,
“South Korea says North stole cryptocurrency worth billions of won last year”
https://www.cnbc.com/2018/02/05/south-korea-says-north-stole-cryptocurrency-worth-billions-of-won-last-year.html, etc.).
In fact, Russia recently assisted Venezuela in standing up its own Cryptocurrency trading system as a way of circumventing sanctions.
I think that this sort of activity (stealing compute cycles, ‘dark cryptocurrency exchanges’, etc.) will probably accelerate to the point where any kind of future sanctions may become largely irrelevant – making the world that much more unstable – as if it’s not unstable enough already ;)
Vince Kelly says
The web will soon be a little safer with the approval of this new security standard
https://finance.yahoo.com/news/soon-little-safer-approval-security-002714794.html
IETF has approved TLS version 1.3 after 4 years and 28 draft discussions! Among the improvements, legacy encryption algorithms have been removed as options. This is a big deal because with TLS 1.2 and below, weak/already broken ciphers were frequently included in the list of algorithms that the server would send back to the client during the session setup negotiation process. This created a vulnerability whereby a malicious client could conceivably get the server to accept/agree upon the use of something like RSA or DES instead of something like AES for the session ciphers.
The TLS 1.3 specification does describe a few potential vulnerabilities with the new draft however – the draft appendix page 147/148 (https://tools.ietf.org/html/draft-ietf-tls-tls13-28#appendix-E.5 ) outlines three potential exploits:
1. Susceptibility to replay attacks:
“There are no guarantees of non-replay between connections. Protection against replay for ordinary TLS 1.3 1-RTT data is provided via the server’s Random value, but 0-RTT data does not depend on the ServerHello and therefore has weaker guarantees. This is especially relevant if the data is authenticated either with TLS client authentication or inside the application protocol. The same warnings apply to any use of the early_exporter_master_secret.”
2. PSK Identity Exposure: An attacker could potentially identify whether a given PSK identity is valid.
3. The potential to impersonate a server.
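Two of the points in this comment lend themselves to a small worked illustration: a server that picks the cipher suite from its own allow-list (so a client's offered legacy suites never get selected), and the "ClientHello recording" style of anti-replay filter that the draft's appendix describes as a mitigation for the 0-RTT weakness quoted under item 1. The code below is an added example, not code from the post or from the IETF draft; the suite names are real IANA names, but the server policy, the cache and the ClientHello bytes are constructed for the demonstration, and the draft's ticket-age freshness check is deliberately not modelled.

```python
"""Added example: server-side cipher-suite selection and a 0-RTT
anti-replay filter (ClientHello recording). Not from the post or the draft."""
import hashlib
import time
from collections import OrderedDict

# Constructed server policy: TLS 1.3 suites only, in the server's preferred order.
SERVER_ALLOWED = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
]


def select_cipher_suite(client_offered, server_allowed=SERVER_ALLOWED):
    """Return the first suite in the SERVER's preference list that the client
    also offered, or None to abort the handshake.

    Because the walk is over the server list, a legacy suite the client puts
    first (RSA key exchange, DES, ...) is never even considered: the server
    list is the allow-list, and the client cannot add to it."""
    offered = set(client_offered)
    for suite in server_allowed:
        if suite in offered:
            return suite
    return None


class EarlyDataReplayFilter:
    """Reject 0-RTT early data whose ClientHello was already accepted inside
    the freshness window (the "ClientHello recording" mitigation).

    Entries older than `window` seconds are evicted to bound memory; in a real
    deployment the window must be at least the ticket lifetime, otherwise an
    old ClientHello could be replayed after its record expires."""

    def __init__(self, window=10.0, clock=time.monotonic):
        self.window = window
        self.clock = clock
        self._seen = OrderedDict()  # sha256(ClientHello) -> time first accepted

    def _evict(self, now):
        while self._seen:
            oldest_digest, first_seen = next(iter(self._seen.items()))
            if now - first_seen <= self.window:
                break
            del self._seen[oldest_digest]

    def accept(self, client_hello: bytes, now=None) -> bool:
        """True if early data may be accepted, False if the server should
        reject 0-RTT for this ClientHello and fall back to a normal 1-RTT
        handshake (which is protected by the server's Random)."""
        now = self.clock() if now is None else now
        self._evict(now)
        digest = hashlib.sha256(client_hello).digest()
        if digest in self._seen:
            return False  # replayed ClientHello
        self._seen[digest] = now
        return True


if __name__ == "__main__":
    # A client that leads with a legacy suite still ends up on AES-128-GCM.
    print(select_cipher_suite(["TLS_RSA_WITH_DES_CBC_SHA", "TLS_AES_128_GCM_SHA256"]))
    f = EarlyDataReplayFilter(window=10.0)
    hello = b"constructed ClientHello bytes"  # constructed, not a real handshake
    print(f.accept(hello, now=100.0), f.accept(hello, now=101.0))
```

The replay filter only makes the *server* refuse duplicate early data; the draft's point that 0-RTT "does not depend on the ServerHello" still stands, which is why applications are told to put only idempotent requests in early data.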
Vince Kelly says
Pretty cool – got Ettercap running just using VM’s and Kali!
I posted a 9 minute video (with the PDF of the slides) of an example of an Ettercap M-t-M attack running on Hyper-V VMs only. I don’t know if it’s because Hyper-V was used for the VMM or if it works on VMW/VirtualBox VMMs as well (happy to send the Hyper-V .vhdx VM files that you can convert to VMW if you want).
The example just shows a router VM and a Windows 8.1 VM with a Kali VM running Ettercap on the same subnet. The example shows all ARP caches and MAC addresses as they should be. Then we turn on Ettercap and watch a DHCP exchange between the Win8.1 VM and the DHCP server. Then we have Ettercap scan for hosts (the entire subnet). We turn on Wireshark on the Win8.1 VM to watch its ARP cache being poisoned. We then turn on ARP Poisoning in Ettercap and look at the flood. We turn on tcpdump on the Kali/Ettercap VM and bring up a Yahoo session on the Windows 8.1 VM (and watch the packets get dumped into the Kali VM).
Finally, we turn off Ettercap and go back to the Win8.1 VM to see how quickly the (previously poisoned) ARP cache gets restored back to normal.
https://www.dropbox.com/sh/myuz5kmq8llgogy/AABGN4yYKRJSn86dlkq4ziCXa?dl=0
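What the Wireshark capture in that lab shows from the victim's side (an IP that was bound to one MAC suddenly answered by another, then a burst of replies all carrying the attacker's MAC, then the real binding returning once Ettercap stops) is exactly the signal a simple ARP-spoof detector keys on. The code below is an added example, not part of the post or its video: it walks a list of constructed ARP reply records modelled on the lab's three VMs and reports binding changes and one MAC claiming several IPs within a short window. All addresses, MACs and timestamps are constructed.

```python
"""Added example: a minimal ARP-cache-poisoning detector over constructed
ARP reply records (timestamp, sender IP, sender MAC). Not from the post."""
from collections import defaultdict

# Constructed lab-like ARP replies: (seconds, sender_ip, sender_mac).
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.10.1",  "00:15:5d:01:02:01"),   # router announces itself
    (0.5, "192.168.10.20", "00:15:5d:01:02:14"),   # Windows 8.1 guest
    (1.0, "192.168.10.30", "00:15:5d:01:02:1e"),   # Kali guest
    # poisoning starts: the Kali MAC claims both the router and the client
    (5.0, "192.168.10.1",  "00:15:5d:01:02:1e"),
    (5.1, "192.168.10.20", "00:15:5d:01:02:1e"),
    (5.2, "192.168.10.1",  "00:15:5d:01:02:1e"),
    # poisoning stops: the real router replies again
    (20.0, "192.168.10.1", "00:15:5d:01:02:01"),
]


def detect_arp_spoofing(replies, burst_window=2.0, burst_ips=2):
    """Return a list of (time, kind, detail) alerts.

    Two checks run over the reply stream:
      binding-change  an IP is answered by a different MAC than the one
                      currently believed (fires again when the real host
                      reclaims its IP, which is the restoration seen in the lab);
      multi-ip-claim  a single MAC claims >= burst_ips distinct IPs inside
                      burst_window seconds (the gratuitous-reply flood),
                      reported once per MAC."""
    alerts = []
    binding = {}                  # ip -> mac currently believed
    claims = defaultdict(list)    # mac -> [(t, ip), ...]
    burst_reported = set()
    for t, ip, mac in replies:
        prev = binding.get(ip)
        if prev is not None and prev != mac:
            alerts.append((t, "binding-change", f"{ip}: {prev} -> {mac}"))
        binding[ip] = mac

        claims[mac].append((t, ip))
        recent = {i for ts, i in claims[mac] if t - ts <= burst_window}
        if len(recent) >= burst_ips and mac not in burst_reported:
            burst_reported.add(mac)
            alerts.append((t, "multi-ip-claim", f"{mac} claims {sorted(recent)}"))
    return alerts


if __name__ == "__main__":
    for t, kind, detail in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(f"{t:6.1f}s  {kind:15s} {detail}")
```

On the sample stream the detector reports the router binding flipping to the Kali MAC at 5.0s, the client binding flipping at 5.1s together with the multi-IP claim, and the router binding flipping back at 20.0s; the three legitimate replies at the start produce nothing. Feeding it real traffic would mean replacing `SAMPLE_ARP_REPLIES` with tuples parsed from a capture, which is outside this example.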
Joseph Nguyen says
Nice thanks for sharing, will try this.
Sheena L. Thomas says
Ransomware as a Service
I was reading an interesting article about a website that shows you how to create your own ransomware. I don’t know how easy it would be to create ransomware, but like the professor said during class, you don’t have to be a genius to figure out how to carry out a malicious attack.
https://isc.sans.edu/forums/diary/Ransomware+as+a+Service/23277/
Definition of Ransomware:
“Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key”
https://www.trendmicro.com/vinfo/us/security/definition/ransomware
Fraser G says
https://threatpost.com/fbi-iranian-firm-stole-data-in-massive-spear-phishing-campaign/130776/
FBI: IRANIAN FIRM STOLE DATA IN MASSIVE SPEAR PHISHING CAMPAIGN
I don’t often hear about the Iranians using cyberwarfare on the offensive. Usually it’s the Russians, Chinese or North Koreans or any number of others. I would like to talk to someone in the industry and see how they gauge the value of the property stolen. Even if you get the blueprints to some engineering, what are the odds they have the capabilities to reproduce it? Still, not a good sign for US companies.